DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 16th January 2012
lasstoff lasstoff is offline
New User
 
Join Date: Jan 2012
Posts: 3
Default Openvpn pf/nat/route-to issue

I'm having a pf/nat/route-to problem with openbsd 4.6 and openvpn
2.1_rc15.

VPN setup works and I'm able to send (and receive data) when doing it
directly from my openbsd firewall:

# ping 192.36.171.154
Code:
PING 192.36.171.154 (192.36.171.154): 56 data bytes
64 bytes from 192.36.171.154: icmp_seq=0 ttl=60 time=21.692 ms
# tcpdump -ni tun0 icmp
Code:
tcpdump: listening on tun0, link-type EN10MB
22:56:59.951191 178.73.197.139 > 192.36.171.154: icmp: echo request
22:56:59.972697 192.36.171.154 > 178.73.197.139: icmp: echo reply
But when doing the same ping from a client behind my openbsd firewall it
fails. The really strange thing is that pflog0 says the packet is sent
out on tun0, but the tcpdump on tun0 never sees the icmp packet:

# tcpdump -ettt -ni pflog0
Code:
tcpdump: listening on pflog0, link-type PFLOG Jan 15 23:00:25.921497 rule 156.vpn.10/(match) pass in on vr2: 172.16.1.20 > 192.36.171.154: icmp: echo request (DF)
Jan 15 23:00:25.921558 rule 100/(match) pass out on tun0: 178.73.197.139 > > 192.36.171.154: icmp: echo request (DF)
# tcpdump -ni tun0 icmp
Code:
tcpdump: listening on tun0, link-type EN10MB
Any ideas anyone?



tun0 settings:
Code:
# ifconfig tun0
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr 00:bd:e2:30:c0:01
        priority: 0
        media: Ethernet autoselect
        status: active
        inet 178.73.197.139 netmask 0xffffff80 broadcast 178.73.197.255
        inet6 fe80::2bd:e2ff:fe30:c001%tun0 prefixlen 64 scopeid 0x7
relevant parts of pf.conf:
Code:
nat on tun0 from 172.16.1.0/24 to any -> tun0
pass in log quick on dmzif route-to tun0 inet proto icmp from 172.16.1.0/24 to any icmp-type echoreq tag VPN_TRAFFIC
pass out log quick on tun0 inet proto icmp from tun0 to any icmp-type echoreq tagged VPN_TRAFFIC

Code:
# sysctl -a | grep net.inet.ip.forwa
net.inet.ip.forwarding=1
parts of openvpn-config:
Code:
dev tun0
dev-type tap
Reply With Quote
  #2   (View Single Post)  
Old 16th January 2012
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

Last year in OpenBSD port of OpenVPN revisited I posted a solution for an OpenVPN issue but that was using tun0 as non-tap device IIRC.

If you run tcpdump on tun0 with the '-e' flag turned on you should be able to see the MAC or lladdress That could help in debugging.

And I wonder why you need the route-to in
Code:
pass in log quick on dmzif route-to tun0 inet proto icmp from 172.16.1.0/24 \
to any icmp-type echoreq tag VPN_TRAFFIC
If the default route of the boxes in the DMZ points to the address of the DMZ interface, this should be enough. I did some DMZ setups in my network lab, and never had to use 'route-to'. When my DMZ setups did not work, it always was because of forgetting to add this default route
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 16th January 2012
lasstoff lasstoff is offline
New User
 
Join Date: Jan 2012
Posts: 3
Default

I'm doing source routing with the route-to. The setup is that I have two internal networks, one of the networks (dmzif) are only allowed to connect to the Internet through the openvpn connection. (The openvpn connection is an ip anonymization service, called anonine). This exact pf configuration with route-to (source routing) worked perfectly when using pptp connection instead of openvpn).

I think the default route on dmz are fine, otherwise i wouldn't see any packets in the pflog0 log.

I just tried to remove the route-to from the configuration line and added a static route for 192.36.171.154 to tun0. And now it works from my client!!

I also tried to keep the static route and put back route-to in the config: Does not work.

Conclusion:
Using route-to with a tun device in "dev-type tap" mode does not work. Probably a bug i think.
Reply With Quote
  #4   (View Single Post)  
Old 16th January 2012
lasstoff lasstoff is offline
New User
 
Join Date: Jan 2012
Posts: 3
Default

Solved!

Added default gateway on the route-to.. from:
Code:
pass in log quick on $dmz_if route-to tun0 inet proto icmp from $dmz_network to any icmp-type echoreq tag VPN_TRAFFIC
pass out log quick on tun0 inet proto icmp from tun0 to any icmp-type echoreq tagged VPN_TRAFFIC
to:
Code:
pass in log quick on $dmz_if route-to (tun0 <anonine_gateway>) inet proto icmp from $dmz_network to any icmp-type echoreq tag VPN_TRAFFIC
pass out log quick on tun0 inet proto icmp from tun0 to any icmp-type echoreq tagged VPN_TRAFFIC
Also had to modify my openvpn route-up.sh script slightly:
Code:
#!/bin/sh
pfctl -t anonine_gateway -T replace $route_vpn_gateway
/sbin/pfctl -a vpn -f /etc/pf.conf.vpn
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Multi-Path or Route-To? SlyM OpenBSD General 25 1st July 2016 04:21 PM
Does pf conflict with OpenVPN? Emile OpenBSD Packages and Ports 37 2nd February 2011 11:03 PM
How to add static route using virtual NIC bsdplus Solaris 1 22nd August 2010 02:10 AM
ping: sendto: No route to host joostvgh OpenBSD General 2 29th April 2010 12:34 PM
Cannot set up OpenVPN guitarscn OpenBSD Security 8 5th October 2009 05:19 PM


All times are GMT. The time now is 02:54 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick